Archive for the 'teaching' Category

Phishing Prevention

Monday, August 25th, 2008

Not so long ago my university’s email got blacklisted by Comcast and Microsoft due to large amounts of spam streaming from our network. This lovely email explains the details of the situation:

To Our Campus Community-

Information Technology has received several reports from users that email sent from mail.montclair.edu accounts to Hotmail.com, MSN.com, and Comcast.net email addresses are being returned as non-deliverable.

Upon further investigation we have determined that Hotmail and MSN (both owned by parent Microsoft Corp.) as well as Comcast have put the montclair.edu email domain on a “blacklist” for alleged spam activity and are temporarily refusing to accept mail from our campus server.

Information Technology has contacted all three ISPs to request that our domain be removed from their blacklists. As of this writing, only Comcast has responded to our request and removed us from their blacklist.

How did this happen?

Last week there was an email “phishing” scam circulating that asked users to respond with their email account name (NetID) and password. A handful of users contacted IT to say that they had mistakenly responded to that phishing scam and provided their NetID and password. It is likely that other users may have done something similar but have not yet contacted IT.

Even just a few compromised mail.montclair.edu accounts can be used by spammers to send thousands of spam messages from our domain. We believe it was exactly this scenario that landed us on the Hotmail, MSN, and Comcast blacklists.

Note: If you responded to the phishing scam last week please change your NetID password immediately by going to the NetID account form at https://netid.montclair.edu

As a reminder: Montclair State’s Division of Information Technology will *never* under any circumstances ask you to provide your password, social security number, or other personal information via email. Any email you receive asking for such information, regardless of the alleged source, should be considered fraudulent and deleted immediately.

We apologize for any inconvenience this situation has caused, and will update this list as soon as we get confirmation of our removal from the Hotmail and MSN blacklists.

It seems that the issue was resolved quite swiftly the same day actually. Here is the follow up email:

To Our Campus Community-

This is an update to my previous email regarding blocked email delivery to Hotmail.com and MSN.com accounts.

As of 6am this morning, Friday August 8th, Microsoft Corp has lifted the anti-spam block for mail.montclair.edu and is now accepting mail from our domain. Any messages that you had attempted to send to Hotmail or MSN addresses that were returned as non-deliverable will need to be re-sent.

Again, we apologize for any inconvenience this temporary block may have caused. We hope that through continued diligence by our user community to avoid phishing scams, and some additional configuration of our outbound mail gateway we can prevent further blacklisting incidents in the future.

Then it happened again:

To Our User Community-

Information Technology was alerted late last night (Sunday August 17th) that Hotmail.com and by affiliation MSN.com have again placed the mail.montclair.edu domain on their blacklist for alleged spam activity.

We have contacted Microsoft and they have indicated that the blacklisting will be lifted tomorrow, August 19th at Noon. Until then, any mail sent to hotmail.com or msn.com addresses will bounce back as non-deliverable.

It is unfortunate that Hotmail/MSN has taken this action without any pro-active notification to the University and without any detail as to what conditions caused us to be blacklisted.

In the coming weeks Information Technology will be reviewing our anti-spam policies and the configuration of our outbound email gateways in an effort to minimize these arbitrary blacklisting incidents by Hotmail and other major ISPs.

Being blacklisted once is bad enough. Being blacklisted twice indicates that OIT didn’t learn anything from the first incident, and failed to take any preventative actions. I don’t think we can dump this on users alone. After all, every organization, and corporate entity out there has a number of computer illiterate staff members who are likely to fall prey to phishing. And yet they somehow manage to steer clear of these blacklists. User education is important, but it is hard to teach people who hardly ever use email about email security.

This is not a user problem - this is an institutional issue. I personally believe that OIT (MSU’s IT branch) could have prevented this from happening by immediately taking a couple of preventative steps and tightening their security policies after the first incident. The following three questions are the key to understanding what went wrong here:

  1. How do Phishers and Spammers obtain valid MSU emails?
  2. How do we prevent a compromised account from sending massive amounts of email?
  3. How do we identify compromised accounts and disable them before they become a liability?

The first question is trivial. The answer is located on the OIT page itself, and if you ask a random computer science student hanging out in the CS Department area he/she will probably be able to show you how to poll university systems for emails, and brag about their perl/python script which can pull thousands of emails according to some rules or self imposed requirements (i.e. stealth, speed etc.) from anywhere in the world, and without any authentication. Yeah, we all wrote those. I think most of us give up trying to alert the OIT about this around the sophomore year and just learn to accept it. I never gave my script to anyone, and deleted the email addresses I collected from my hard drive. I could have sold them to spammers - and so could other students. How many of them did? That’s a good question. Besides, I’m pretty sure that if we figured it out quite a few spammers figured it out as well by now.

The other two questions are there for OIT. I don’t know the answers. I suspect that the first one is probably “we don’t”. There is a storage quota but I believe there is no email volume quota on student accounts which is both a good thing and a bad thing. It is a good thing, because quotas suck. It is a bad thing because a compromised account can really spew out large amounts of crap before someone notices anything. I trust that someone is watching over these things. At least I hope that there is a monitoring script somewhere that sends out an email to the sysadmin saying something along the lines of: “BTW, you might want to know that this one student just sent 10 million emails yesterday”. But alas, I do not know whether we have it or not. I can just hope we do.

I believe there is a policy for disabling compromised accounts but I don’t know whether there is a process. And if there is, it is obviously not efficient enough if we get blacklisted this easily. My solution would be to look at question #1 REALLY closely, because that is the big one. Fix that, then revise the process, and perhaps introduce some generous quota and more aggressive monitoring.
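One way to write the monitoring script wished for above, covering questions 2 and 3: count recipients per authenticated account over a sliding one-hour window and report the moment an account crosses a limit. This is an added example, not code from the original post or from OIT; the log line format, the account names, the sample lines and the 200-recipients-per-hour limit are all assumptions.

```python
"""Flag accounts whose outbound mail volume exceeds a per-hour recipient limit.

Added example. The log format, accounts and limit below are constructed for
illustration and do not describe any real mail gateway.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: ISO timestamp, authenticated account, recipient count.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"auth=(?P<account>[A-Za-z0-9._-]+) nrcpt=(?P<nrcpt>\d+)$"
)

WINDOW = timedelta(hours=1)
MAX_RCPTS_PER_WINDOW = 200  # hypothetical limit; tune to normal campus usage

# Constructed sample log, in chronological order.
SAMPLE_LOG = [
    "2008-09-01T09:00:00 auth=bob nrcpt=150",
    "2008-09-01T09:05:12 auth=alice nrcpt=2",
    "2008-09-01T10:30:00 auth=bob nrcpt=150",       # outside bob's first window
    "2008-09-01T21:00:01 auth=student17 nrcpt=80",
    "2008-09-01T21:02:30 auth=student17 nrcpt=80",
    "this line is truncated or malformed",
    "2008-09-01T21:04:45 auth=student17 nrcpt=80",  # 240 within five minutes
    "2008-09-01T21:09:00 auth=student17 nrcpt=80",
]


def parse_line(line):
    """Return (timestamp, account, recipient_count) or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["account"], int(m["nrcpt"])


def find_suspect_accounts(lines, limit=MAX_RCPTS_PER_WINDOW, window=WINDOW):
    """Scan chronologically ordered log lines.

    Returns (alerts, skipped): alerts maps each offending account to the
    (timestamp, recipients_in_window) at which it first crossed the limit,
    which is the point where it should be throttled or disabled; skipped is
    the number of lines that could not be parsed.
    """
    recent = defaultdict(deque)  # account -> (timestamp, nrcpt) still in window
    totals = defaultdict(int)    # account -> recipients currently in window
    alerts = {}
    skipped = 0
    for line in lines:
        record = parse_line(line)
        if record is None:
            skipped += 1         # never let one bad line stop the scan
            continue
        ts, account, nrcpt = record
        queue = recent[account]
        queue.append((ts, nrcpt))
        totals[account] += nrcpt
        # Drop sends that have aged out of the sliding window.
        while queue and ts - queue[0][0] >= window:
            _, old_nrcpt = queue.popleft()
            totals[account] -= old_nrcpt
        # Count recipients, not messages: one message can fan out to hundreds.
        if totals[account] > limit and account not in alerts:
            alerts[account] = (ts, totals[account])
    return alerts, skipped


if __name__ == "__main__":
    found, bad_lines = find_suspect_accounts(SAMPLE_LOG)
    for account, (when, count) in found.items():
        print(f"ALERT {account}: {count} recipients in the last hour at {when}")
    print(f"{bad_lines} unparseable line(s) skipped")
```

The same counter can back a soft quota: instead of only alerting, the gateway can defer further mail from the account until someone has reviewed it.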

There is not much I can help with from the institutional part though. I don’t really have a say in these matters. I can however help with the user education, ~30 students at a time. And this is what I will do. The coming semester I will try to put more emphasis on Phishing, Pharming, online scams and social engineering in general. That will be my input into fixing this issue. OIT has to do the rest.

Communicating With College Students Using Their Own Media

Thursday, August 21st, 2008

Over the last 2-3 years I noticed that making students read email is almost as hard as making them do homework assignments on time - if not harder. It’s like pulling teeth. And yet, we sort of rely on this medium to communicate with the students to exchange information, and send out announcements. There are of course LMS which can facilitate communications but in my experience students only log into these things if they need to. For example, there is no way I could post an announcement that a class is canceled the night before, and expect all students to actually read it.

This is why we have email. The assumption is that most people check their emails quite regularly so if I send a broadcast message to all my students (via the LMS for example) about canceling class the next day, they will probably see it that same evening, or at the very latest the next morning. Unfortunately it doesn’t work like that. Whenever I send an email broadcast to my 30 students I usually get 16-18 messages bouncing back to me saying that the user’s inbox is over quota. In MSU land of crazy this basically means that the student hasn’t logged in to his account in a few weeks, and it basically got filled with SPAM. Once the quota is reached the mail server won’t accept any new messages and will bounce them back to me.

Of course this could mean that college students simply don’t check their .edu inboxes which is not that surprising. But this is not the case either. My younger brother, who is a representative of the very same demographic that I teach these days lives without email. Our mother lives in Poland, and she recently got herself connected to the internet and discovered that she can use email to communicate with us much faster and more efficiently than via snail-mail and much more frequently than via phone calls. Only my brother never read any of her emails, because he only logs into his Yahoo account when he needs to confirm registration for some new service. The only effective way of reaching him was sending an email to his cell phone using Verizon’s Email to SMS gateway. It’s actually quite straightforward - you just send email to yourmobilenumber@vztext.com.

I believe that my students share a very similar attitude towards email. As I said previously, this is especially prevalent amongst technologically inept students. Those with clue seem to be more likely to check their email regularly for some reason. Those without it, shun email. Their major modes of communication are social networks (such as Facebook and MySpace), IM and text messaging.

If we want to communicate with them efficiently, we probably should look into using their preferred media rather than trying to force them to use email which they do not understand, and which they fear.

There is a slight problem here though. While some professors successfully utilized social networks such as Facebook for in-class communication I’m not very keen on doing this. For one, the user base is fractured between different networks - each being its own exclusive walled garden. They all have cumbersome, clunky email-like private messaging systems. But of course they don’t offer any easy way to forward, poll, or aggregate your messages and force you to log in, and navigate through their interface to read them. It’s a communication nightmare, and I don’t want to deal with it.

IM is too direct - it’s a point-to-point, real time communication system and doesn’t really work for notifications, and broadcast messages that well.

So we are left with texting. But this medium is also problematic because just as I don’t want to give my mobile number to my students, they sure don’t want to give theirs to me. Still, texting my students with “Class canceled tomorrow” or “Remember to submit Homework 3 by Tuesday” would be the most direct method of communication - and one that guarantees the highest margin of success (and by success here I mean having the student actually reading the damn message).

The logistics of implementing this would be rather straightforward. You could simply set up a moderated listserv for your classes. Students would send a text to the listserv address using the format provided by their carrier. This would probably require some explaining, but there are only like 3-4 viable formats you are likely to encounter out of which two (Verizon and Sprint) are trivial and straightforward. Most popular carriers have SMS to Email and Email to SMS gateways these days. In my area for example, most people use Verizon, AT&T, Sprint or T-Mobile. I haven’t really seen any other carriers around here.

So a listserv would work for most people. A teacher could send a message to the list via his email, and have it broadcast to the group. Any replies would be forwarded back to his email but not to the group. This way we get two way communication between the teacher and students, each using their preferred medium (email for the teacher, text message for the student). Furthermore, students would be unable to spam each other via the list, and the teachers’ mobile phone would be safe from being overwhelmed by a torrent of student inquiries.

That still doesn’t solve the issue of privacy, since the teacher would be able to see the mobile numbers of subscribed students. Then again since most SMS gateways use emails of the form phonenumber@carrier.com this would not provide the teacher with a direct 1-1 mapping between a student and a number. So while the teacher would have a list of 30+ mobile numbers, he might only be able to associate a fraction of them to actual student names - and only when those students choose to reply, and identify themselves.

Ideally, I’d prefer to have the list maintained by someone like OIT, and have the reply-to headers mangled (perhaps replaced by a hash of some sort). This way both teacher and student could communicate via the listserv like service without ever seeing their actual mobile numbers. This would be a bit trickier to implement but not out of the realm of possibility.

Ideally it would be an opt-in service, and students would be able to unsubscribe at any time. There would be a guarantee of privacy and reassurance that neither the teacher nor any other student will ever see their actual phone number. And of course the instructor would have to keep the number of messages down to minimum to take it easy on those without unlimited texting plans. I’d like to average somewhere below 1 message per week.
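The header-mangling relay described above, as an added example that is not part of the original post. It swaps the "hash of some sort" for a keyed HMAC, because a bare hash of a ten-digit phone number can be reversed by hashing every possible number. The list domain, class name, key and sample address are hypothetical.

```python
"""Pseudonymous reply addresses for an opt-in class SMS list (added example).

All names, the list domain and the sample address are constructed.
"""
import hashlib
import hmac
from email.message import EmailMessage
from email.utils import parseaddr

LIST_DOMAIN = "lists.example.edu"  # hypothetical list host


class AliasRelay:
    """Maps each subscriber's SMS-gateway address to a stable opaque alias."""

    def __init__(self, secret_key, list_name):
        self._key = secret_key      # known only to the list server
        self._list = list_name.lower()
        self._alias_to_real = {}    # alias -> real gateway address

    def _alias(self, real_addr):
        # Keyed HMAC rather than a bare hash: without the key, nobody can
        # enumerate phone numbers and match them against the aliases.
        data = f"{self._list}:{real_addr}".encode()
        tag = hmac.new(self._key, data, hashlib.sha256).hexdigest()[:16]
        return f"{self._list}+{tag}@{LIST_DOMAIN}"

    def subscribe(self, real_addr):
        """Opt a gateway address in; returns the alias the teacher will see."""
        real = real_addr.strip().lower()
        alias = self._alias(real)
        self._alias_to_real[alias] = real
        return alias

    def unsubscribe(self, real_addr):
        """Opt out; the alias stops resolving immediately."""
        self._alias_to_real.pop(self._alias(real_addr.strip().lower()), None)

    def resolve(self, alias):
        """Real address behind an alias (for delivering a reply), or None."""
        return self._alias_to_real.get(alias.strip().lower())

    def relay_to_teacher(self, inbound, teacher_addr):
        """Build the message the teacher receives from a student's reply.

        A fresh message is built instead of editing the inbound one, so
        Received, Message-ID, Return-Path and similar headers that could
        carry the phone number are never forwarded.
        """
        sender = parseaddr(str(inbound["From"]))[1].lower()
        alias = self._alias(sender)
        if alias not in self._alias_to_real:
            return None             # not a subscriber: drop instead of relaying
        body = inbound.get_body(preferencelist=("plain",))
        out = EmailMessage()
        out["From"] = alias
        out["Reply-To"] = alias
        out["To"] = teacher_addr
        out["Subject"] = str(inbound.get("Subject", ""))
        out.set_content(body.get_content() if body is not None else "")
        return out


def sample_reply(real_addr):
    """Constructed inbound reply as an Email-to-SMS gateway might deliver it."""
    msg = EmailMessage()
    msg["From"] = real_addr
    msg["To"] = f"csit100@{LIST_DOMAIN}"
    msg["Message-ID"] = f"<constructed-1.{real_addr}>"
    msg["Subject"] = "Re: Class canceled tomorrow"
    msg.set_content("Is homework 3 still due Tuesday?")
    return msg


if __name__ == "__main__":
    relay = AliasRelay(b"\x01" * 32, "csit100")   # demo key only
    student = "9735550100@sms.carrier.example"    # constructed address
    print("alias:", relay.subscribe(student))
    print(relay.relay_to_teacher(sample_reply(student), "teacher@example.edu"))
```

The alias table and the key live only on the list server, which is why the post's suggestion of having someone like OIT run the list matters: whoever holds them can still map aliases back to numbers.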

What do you think? Could it work? Should we build something like this? Would there be institutional support for something like that? Would professors buy into it?

That’s Because You Can’t Bullshit Science

Tuesday, July 8th, 2008

An interesting tidbit of pseudo-scientific news from nature.com:

Durham University researchers think that physics, chemistry and biology are a grade harder than drama and media studies and three-quarters of a grade harder than English at ‘A-level’, roughly equivalent to high school diplomas. (…)

“This research shows that science and technology subjects are much more severely graded than subjects like media studies and art,” says Robert Coe, author of the new report on the subject that’s stirred things up (press release).

To reach this conclusion Coe reviewed a host of previous attempts to determine the relative ‘difficulty’ of subjects and conducted his own analysis on examination data from 2006. His work found similar results from five different statistical methods, all of which are rather complicated (maths is hard remember).

These methods either compare the performance of the same candidate in different exams or compare exam grades between people of similar ability, as determined by a reference test of some kind. Science and maths subjects were all at the top of the difficulty range.

Just to stoke the fires a bit, Coe notes, “A student with a grade C in Biology will generally be more able than one with a B in Sociology, for example.”

Duh! No shit sherlock. That’s because science and math can only be graded objectively. You either get it or not. You either answer the question correctly, or incorrectly. There is a leeway for partial credit there, but in most cases to get it you still need to show understanding of the problem. Media studies and art on the other hand… Let’s face it, I don’t even know what media studies is.

Grading art is problematic, because we do not have a quantitative measure for creativity and originality. One art teacher may think your work is brilliant and innovative, while another may consider it shallow and unimpressive. It is all a matter of taste and opinion. And of course some people simply lack the talent or the spatial skills to actually create good art. Therefore most in class art projects are graded on how well students followed the directions, and how much work and effort they put into their work. Which again is a subjective measure.

In a lot of humanities classes, the grade reflects how good you are at bullshitting and not your mastery of the material. Let me tell you a little story. My senior year in college I took “Cultures of the Middle East” class because I needed to fulfill the “Non Western Perspectives” course requirement. The final exam was part general knowledge based multiple choice quiz, and part essay in which we would have to discuss one of the 6 short stories which I neglected to read. Before the test a friend who did read them primed me with basic plot outlines, and names of main characters. The test question was to compare and contrast the changing roles of women in the middle east as depicted in the stories. I got an A. Why?

I assume it’s because the grader was looking for specific set of issues, ideas - or key buzzwords to be mentioned in the paper. And I was able to hit all of them based on what I knew about social customs in the area, the brief plot outlines and the general direction of in-class discussions. In a very similar way many literature and sociology and philosophy students can coast through classes relying on nothing more than cliff notes and a decent writing style. More often than not your task when writing a paper for one of such classes is to interpret, analyze or express an opinion and argument using examples. Very often your thesis may be wrong and misguided but with a little creativity you can make up argumentation to support it and make it look like the text is supporting them and get away with it.

Science and math are really clean cut, formalized and no nonsense subjects. You can’t gloss over details. You can’t “creatively” interpret your data. It is do or die. You just have to learn it, and understand it - there is no room for bullshitting, hand waving and any of that stuff. So it’s not that science is inherently harder. It’s because science is inherently easier to test accurately. It is not very difficult to design a decent set of questions which will test one’s knowledge of a given scientific subject - and it is fairly easy to grade. Here is the answer key - if the students write something else, mark it wrong. That’s it.

Art, sociology and literature on the other hand… It takes some skill and experience to make up questions that will show that students really “read” the assigned text, and really understood it.

But that’s just my opinion. Feel free to prove me wrong and argue in favor of your favorite subject in the comments.

Laptops in the Classroom

Tuesday, June 17th, 2008

Here is a short excerpt from a longer article someone posted to the MSU [discuss] list the other day. I found it somewhat interesting because it is actually like the only vaguely on topic message on that list I saw in months.

It’s unusual to walk into a law class, or any classroom in a professional school today, without viewing a sea of open laptop lids blocking students’ faces and hearing the steady hum of fingers striking keyboards.

But a growing — albeit small — number of law professors like Mr. Herzog are pushing back. Students with laptops, they argue, surf the Web instead of engaging in class, and play games, shop online, or e-mail friends, distracting themselves and those who sit near them. The complaints highlight how technologies once eagerly adopted by colleges can later pose problems.

Aside from the Michigan campus, others where law professors have banned laptops include Florida International, Georgetown, and Harvard Universities, and the University of Wisconsin.

Business-school professors, too, complain about laptops’ sabotaging discussions. As a result, some business professors are asking students to close their laptops during conversations.

The backlash appears to be primarily in the law schools, however. Law professors say the Socratic method, the cornerstone of a legal education, in which professors ask students to accept or refute a long series of questions, is under assault by the vast array of amusements available to students on their laptops. The learning method calls for focused interaction between students and professor, as he or she tests their assumptions. Laptops, psychologically and literally, get in the way.

The Chronicle of Higher Education: Information Technology, Volume 54, Issue 40, Page A1

I find that very telling that the Law and Business professors are the ones spearheading this Luddite movement of technology hate. It’s completely unsurprising considering the track record of business school students.

The running joke is that if you have absolutely no idea what to do with your life, no ambition, no drive and no desire to study you sign up for a business program. If, on top of all of the above you can’t do basic arithmetic or operate Excel then you usually go into law. Don’t get offended. I mean, all Math/Science students are considered antisocial nerds by the outside world so I think it is only fair if we retaliate a little bit with stereotypes of our own.

So you can see why I’m not surprised why law professors scoff at laptops in the classroom. They don’t know how to utilize technology in the classroom and their students are probably not using it constructively either. I don’t think I need to mention that using a laptop in most CS classes is invaluable. Especially when you are learning about a new programming language or technology it lets you actually try the examples outlined in the lecture in real time.

Some people actually do take notes this way. I tried it a couple of times with mixed results in grad school. My biggest problem was that in most classes we did a lot of drawings, diagrams, tables and etc. For me a perfect note taking tool would probably be a tablet with OneNote like software. Unfortunately I never owned one. I could see however how taking electronic notes using a regular laptop in a law related course would be much easier for a fast typist.

I would usually use my laptop to follow along with the PowerPoint presentation. Most professors made their lecture slides available online and this allowed me to flip back and forward through the slides - sometimes out of sync with the lecture - for example to go back a few slides to a concept that I did not fully understand as it was explained. I’d also pull up old notes, google unfamiliar terms and try to find interesting arguments and counter-examples to what was being taught in class. So yes, I was browsing the web, but usually constructively.

[Image: laptops_in_classroom.png, comic © Doonesbury]

As a teacher I have limited use for laptops during the lecture portion of the course, but I sometimes engage my laptop wielding students and make them do some work - for example google some interesting term and read the definition to the class or try out something that I just explained - which can be easy when you are teaching basic computer concepts. The lab portion when they learn how to use MS Office and make HTML websites is a whole other thing.

Naturally given a chance students will browse the web, update their facebook and IM each other. There is no way around it. But I guess this is a matter of personal responsibility. I mean, we are talking about college here. Your students should be responsible adults and they are actually paying large sums of money to be in your class. If they want to waste the time and money by browsing the web that is their problem.

This actually touches on a problem that pains me greatly. I honestly believe that attendance should be optional. I would much rather conduct a class for only the people who actually want to be there, participate and ask questions than force students to sit there and be bored out of their mind, checking their watch every 5 minutes and sneering, and rolling their eyes every time another student asks a question or tries to engage in a discussion. Unfortunately this doesn’t work. I tried this optional attendance thing my first semester as a teacher and I ended up with 6 people showing up one day, and 3 leaving halfway through the lecture. It is silly, irresponsible and kinda stupid. If you don’t want to sit in a given class, why take it at all?

Banishing laptops out of your classroom because some people don’t care to participate in the class, or simply can’t resist the online distractions seems like a step backward. We will have more technology in the classroom in the future - and not less. And pen & paper notes have many huge disadvantages. They can’t be shared and disseminated easily. They can’t be searched, tagged and cataloged. And of course they are easily lost and damaged. If I wanted to look through some of my old class notes from my undergrad classes right now, I would have to dig through boxes of papers sitting in a dark corner of my closet or somewhere in the attic. The electronic or scanned notes that I took as a grad student on the other hand are still here sitting on my hard drive. Think about that before banning useful technology out of your classroom.

Using Email as Online Storage

Friday, May 16th, 2008

I previously wrote about two of my observations regarding use of email among the young and technologically clueless college students. First observation was that none of my students ever had a straight POP3 or IMAP email account in their life. Every single email account they have ever used had a webmail interface and so in their minds, email is something that you do on a webpage. Email client to them is an oxymoron or some strange archaic piece of software, about as useful to them as a floppy drive.

Their primary mode of communication is IM, texting and naturally Facebook/Myspace. Email is something you use when you need to send Christmas wishes to your grandmother, or complain about your grade to your professor.

Second observation was that if allowed, most of my students (as well as my coworkers) will try to avoid ever managing the file system directly. They use their desktop or My Documents folder as a big Temp file, and either delete files from it afterwards, or just ignore them and live with the mess. Very rarely do I see thought out directory trees or any hierarchical sorting in the file system on their machines.

My third observation is a direct outgrowth of the second one, and is related to the first. Since students no longer really use email as primary communication tool they decided to use it for something else - storage. They understand email, but do not understand the file system. So whenever they want to save something for later, they just email it to themselves - and it becomes instantly available to them from anywhere via an easy to use web interface.

I think this mentality is heavily influenced by student mobility. Since not everyone owns a laptop, some people find themselves working on computers they do not own - for example workstations in a public computer lab, a laptop borrowed from a room mate, their home desktop and etc… How do you easily transfer files between computers in such an environment? You could use a flash drive but these are easy to lose or forget. Online storage is the only reliable way to handle it. And what is the easiest way to implement online storage? Via email of course.

I have to admit that I’m guilty of using my email this way as well. Each day I alternate between my home desktop, my work laptop, and one of the 3 or 4 teacher workstations at school. When I’m in a hurry I will sometimes send something to myself to pick it up from a different machine later because it is often the fastest, and least complicated thing to do. That of course doesn’t mean I approve of this behavior. To me it just doesn’t feel right. Email was not meant to be used this way and the whole procedure is silly. Your file ends up being stored twice - once in the inbox, once in the Sent Mail folder, and it makes a short trip between the webmail server, the outgoing server, the incoming server and back to the webmail. It’s a waste of bandwidth and it bothers me.

Are there alternatives? Yes, but none are as convenient or n00b friendly. Ideally, you would want a web service which is as easy to use as email whose sole function would be providing you with online storage. One such service I have been using recently is Xdrive. It’s not perfect though. Their online interface is horrid - cluttered, counter intuitive, and way too busy with buttons, panels and color. It insists on showing you your files both as a list and as a tree at the same time. It also has an impressive array of buttons, links and controls which are often redundant. It is the quintessential AOL school of design - seeing how these are the folks behind the application.

Xdrive Web Application

While I’m on the topic, I wanted to mention that there are two distinct ways to design your UI. There is the interface driven way, and the content driven way. The former puts emphasis on buttons, panels, levers, switches and blinkenlights and then stuffs contents into some small view port hole surrounded by interface elements. The latter shows you content, and tries to minimize interface elements handling interaction in context aware way. Google excels at making context driven interfaces both for the web and for the desktop. Everyone else seems to be falling short in the web based area. AOL was always notorious for creating horrid interfaces that looked sleek, but were barely usable.

So it’s surprising that Xdrive Lite client is a content driven application. It sports a much cleaner interface, with much fewer buttons. There is virtually no clutter and the app is extremely easy to use. You copy files to your online storage space by simply dragging and dropping them from your file explorer application. It is actually working fairly well in Linux but not thanks to AOL or Xdrive naturally. It works because Adobe Air now runs on linux and so, accidentally the Xdrive client does too. File manipulation and downloads are done via clear, intuitive context menus.

Xdrive AIR App

I must say that I really like this app. So I often use it to shuffle small files between my work computer, my home desktop and my laptop in a hassle free way. It works great, it is light on resources and feels much more appropriate than spamming my own inbox.

Still, this is not a perfect solution for my rather clueless students because they inherently despise client software. Installing something is always a hassle. AIR apps install rather quickly and easily, but you need to have AIR installed first. So it is at least a 2 step procedure. Not to mention that public lab computers often do not have admin privileges that would allow them to install stuff. The web interface on the other hand is just too clunky to be useful. They’d have to learn to use it, and I’m sure that this would be a nuisance.

All our students naturally have Novell Netdrive accounts but the web interface for that thing was also designed by professional contortionists. I make them use it when they create HTML websites but I often must walk them through the process 4 to 5 times before it starts sinking in. Not that it is hard, or complex - it’s just new, and not very intuitive. Or rather what is intuitive to me (public websites go into PUBLIC_HTML folder) is alien and incomprehensible to them. Logging into webmail and emailing themselves is just more convenient, straightforward and familiar. I could try to break this habit, but then again who am I to say how people should use technology that’s available to them. If they want to use email as storage, then more power to them I guess… No matter how that annoys me.